
Consider for a moment: a company or school set up as an Enterprise Mobile Device Management provider, handing out ChromeOS devices to everyone, setting up their GSuite domain so that nobody can connect to their GSuite GMail accounts except through the ChromeOS device (or an equivalent MDMed mobile device), and setting up an automatic, un-disable-able VPN on those devices for accessing Google domains.

I think that’s the scenario Google had in mind when designing this feature. For enterprise users, where the enterprise controls the hardware, the policy-level controls actually have teeth, because people don’t have root over the devices in their possession. For everyone else, it’s not “real security”, but rather just a gateway drug to get you used to the workflow that “real security” would provide in an enterprise context.

(Context: I used to work at IBM, and they had a very similar setup—company-issued laptop, app that enforces MDM profile installation, VPN that checks with the app to ensure MDM is active before connecting, email servers only accessible through said VPN, and, on top of all that, a policy-enforcing email app [IBM Notes] where you can delete already-sent things out of other enterprise users’ inboxes, send expiring emails, etc.)



It's worth mentioning that all these measures can be fairly trivially defeated by the analog loophole[1]. I suppose it's harder to prove authenticity in that case, however.

https://en.wikipedia.org/wiki/Analog_loophole


Allow me to sell your organisation some VR goggles with iris-reading DRM protection. Your browser won't display on any other screen. And Google Services won't work in any other browser.


I can still remember the message (or at least important bits) and can write it down when at home or tell it to other people.


Yeah but it is still a helluva lot harder to leak it, and it isn't as good as showing an email exchange.


Sure it's harder, and it will not stand up in a court of law probably. But there probably have been and still are a ton of spies, national and industrial, who do exactly this, memorize things.


for now


Well, presumably most communication is two way or actionable. If not, then there is no reason for the communication in the first place.


This is an arms race. Allow me to use an iris app on my smartphone to defeat your iris-reading DRM while I take a video of the content.

It's not possible to do what Gmail wants to do without a SCIF.

https://en.wikipedia.org/wiki/Sensitive_Compartmented_Inform...


You're making broadly wrong assumptions about what Gmail wants to do here.


As an employee of a very large corporation, are you trying to claim special inside knowledge about the strategic thinking of the corporation? Are you in, or do you report to, the C-suite?

If not, consider that you might be making your own broadly wrong assumptions.


Don't bother. Someone will figure out how to either fit a small camera into the VR goggles, or separate the iris-reader from the display part.


There are undoubtedly a variety of ways to bypass things for a motivated attacker. Analog is likely only one of those.

The thing that a lot of these measures protect against is not so much a targeted attack, it's stupid user tricks. It's not protection against Jane the Spy extracting as much information as she can, it's a measure against Danny the drunk who leaves his laptop at a bar or sitting in the back seat of the car where it's visible and stolen.

There are also likely a lot of places where it would be illegal to use something like this with auto-expiring messages, though hopefully most such places won't be using Gmail.


But as a worker in a corporation, the chances that you would want an email so badly that you start breaking more corporate rules trying to get a copy of it are very low, at least for common everyday work.

This could be a useful feature when dealing with PHI, legal, HR, etc.


I know people who have taken photos of protected documents with their phones to send to their team, because IT couldn’t get their permissions working properly. It seems like it’s not worth the risk to break an obvious rule like that, but when you’re the manager the responsibility lands on you to get your team the info they need.


What's the "risk"? You're going to get in trouble? Get a talking to? The risk is near zero.


Yes, that's the risk exactly. If you start taking pictures of PHI on your phone over and over eventually your manager like the one above you is going to get fed up and drive you or fire you out of a job.


> as a worker in a corporation, the chances that you would want an email so badly that you start breaking more corporate rules trying to get a copy of an email is very unlikely

This seems like it should be true, but having worked with end users in the past, I would not take this for granted.


You're right? I guess we should just allow end users to do whatever they want. /s


That's not what I said, what I implied, or anywhere close to the point I was making. Nice attempt at a witty comment I guess...


I disagree, there have been politicians that go through the trouble of setting up their own email server in their basement because the official way is too arcane or not comfortable.


They said corporation, not government. Do you have an example of a low-level employee or C-level executive using a private email server for their official communication?

Disc: Googler


The analog loophole can’t prevent leakage, but steganography can trace it back to its source. IIRC, Windows 8 prerelease copies used to put an imperceptible watermark on the screen of the user account. When a leak was published to the news, a simple filter would tell Microsoft who to fire.
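The per-user screen watermark the comment describes, as an added example that is not from the thread or from Microsoft: a user id is written into the least-significant bits of the frame buffer (visually imperceptible), each bit repeated three times so that a majority vote recovers it from a leaked screenshot even after a few bits are disturbed. The frame is a constructed 64-pixel grayscale gradient; the user id, bit width and repetition count are assumptions.

```python
# Added example (not from the thread): LSB screen watermark for leak tracing.
# Pixels are modelled as a flat list of 8-bit gray values (constructed input).

def _bits(value: int, width: int):
    """Big-endian list of `width` bits for `value`."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]

def embed(pixels, user_id: int, width: int = 16, reps: int = 3):
    """Return a copy of `pixels` whose LSBs carry user_id, each bit repeated `reps` times."""
    payload = [b for b in _bits(user_id, width) for _ in range(reps)]
    if len(payload) > len(pixels):
        raise ValueError("frame too small for payload")
    out = list(pixels)
    for i, bit in enumerate(payload):
        out[i] = (out[i] & 0xFE) | bit   # only the LSB changes: at most +/-1 per pixel
    return out

def extract(pixels, width: int = 16, reps: int = 3) -> int:
    """Recover the user id by majority vote over each bit's `reps` copies."""
    bits = []
    for k in range(width):
        chunk = pixels[k * reps:(k + 1) * reps]
        ones = sum(p & 1 for p in chunk)
        bits.append(1 if ones * 2 > reps else 0)
    return int("".join(map(str, bits)), 2)

def max_pixel_delta(a, b) -> int:
    """Largest per-pixel change introduced by the watermark (imperceptibility check)."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed "screen": a 64-pixel gradient.
FRAME = [(i * 4) % 256 for i in range(64)]

if __name__ == "__main__":
    marked = embed(FRAME, user_id=0xBEEF)          # 0xBEEF is an assumed user id
    leaked = list(marked)
    leaked[4] ^= 1                                 # simulate one disturbed bit in the leak
    print(hex(extract(leaked)), max_pixel_delta(FRAME, marked))
```

A bit-level mark like this survives lossless screenshots but not a phone photo of the screen; tracing through the analog loophole needs a mark that is robust to rescaling and compression, which this snippet does not attempt.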


I would have thought that IBM and other corporates would be keen to have things like confirmed delivery, non-repudiation and all the other nice things that X.400 (88) and X.500 promised.


> I used to work at IBM, and they had a very similar setup—company-issued laptop, app that enforces MDM profile installation, VPN that checks with the app to ensure MDM is active before connecting, email servers only accessible through said VPN

Unless you were on a Fedora workstation.

That was a fun discovery. Never figured out who at IT I should inform before I quit.


Even in a locked down ChromeOS device, won't hitting Ctrl-S in the browser still work?


Or screen capture, or inspect element, or taking a picture with your phone, or JS injection, or using an extension, or IMAP...

The only way for this to work is to restrict the user freedom so much it will:

- cost a huge amount of money

- lower the productivity

- kill the mood of everybody

My take on this is that if your industry really needs this kind of feature, either you suck as a human being and I don't want to work for you, or you are doing something amazing and secretive and in this case you don't use gmail.


Well, I tried it out. At least the IMAP is partially mitigated since you basically get a link to a separate web page -- the contents aren't embedded in the email itself.

On the other hand, that means there's no reason to resort to something as complicated as JS injection or dev tools. Screenshots will usually work fine, because messages aren't threaded, so you'll likely get the entire message showing up on one page. They do block Ctrl-S; they use a click handler that prevents it from reaching the browser. Very fiendish, very clever. Except that the save button still works in the menu.

On the plus side, I'm now wondering if that "go to the top of your menu and hit the file->save button" exploit would make me eligible for a bug bounty, since according to their documentation I should need malicious software to download the message. I guess Chrome falls into that category, though?


> Well, I tried it out. At least the IMAP is partially mitigated since you basically get a link to a separate web page -- the contents aren't embedded in the email itself.

Wow, so it kills your offline productivity as well, and of course makes backups and archiving harder. I know it's kind of the point, but I hadn't realized the implications of it until you said so.


If IRM is done correctly, screen capture will not work either.


And, in addition to all of those requirements, a ban on cameras to protect screen photos.

